Status

Released: 14/1/2008

Author

Pierre Parrend

Principles

Java is a language where the source code is quite intuitive to read. And in many cases, the compiled bytecode can also be reversed (or decompiled) into source code. This presents problems for projects that require confidentiality of the source code. This article provides an introduction to protecting bytecode through obfuscation.

How to recover Source Code from Bytecode?

There are a number of freely available Java decompilers that all provide similar functionality, including:

How to prevent Java code from being Reverse-engineered ?

Code Obfuscation. This is done mainly through variable renaming; see next paragraph for more precisions,

Suppression of End Of Line Characters. This makes the code difficult to parse,

Use of anonymous classes for handling events. This seems not to be handled by many Decompiler; however, JAD copes pretty well with this.

Class file encryption. This implies some overhead for uncyphering at runtime. Several tools are available:: Canner, by Cinnabar Systems, or JLock by JSoft. They are available for evaluation, and the first is proposed currently for Windows Platforms only.

Replacing the method names with certain characters e.g '/' or '.' in the class header causes the popular decompilation tools such as JAD to dump the source code which is incomprehensible (you cannot determine the control flow from the source).

Note: Beware of 100% Java solutions using encryption to protect class files as these are more than likely snake oil. Since the JVM has to read unencrypted class files at some point, even if the class files are encrypted on the disk, they will have to be decrypted before being passed to the JVM. An attacker could modify the local JVM to simply write the class files to disk in their unencrypted form at this point. (See: Javaworld article).Conjecture: It's is very easy to circumvent these methods to reveal bytecode using a Java profiler.

What obfuscation tools are available ?

A lot of tools exist for Java code Obfuscation. You can find extensive lists under following URLs, or simply type 'obfuscator' in your favorite search engine :